Reputation: 123
3-legs in OAuth 2.0
I'm making a program uses Youtube API for testing purpose. Because my program is an installed-application, I've found a picture pointing out how to implement authentication.
It's what I have:
Immediately, I'm confused. According to this figure, I don't know why Google Servers just returns Authorization code after User login and consent.
Why doesn't Google Servers return Token instantly?
Upvotes: 2
Views: 297
Answers (1)
Reputation: 1705
You are Confused because, I guess, you have missed 3rd leg "User". Authorization code represents the User Consent.
Google server returns Authorization code when User grants the permission to your app to get his/her data from google server(resource server). if user denies the permission Google server wont generate the Authorization code and your app wont be able to get access token.
Another use of Authorization_code is to keep resource owners credentials secret. Authorization code is shared with client and client exchanged that code for access_token.
Find more Information about Oauth 2.0 in this article.
Upvotes: 1
Related Questions
- How does 2-legged oauth work in OAuth 2.0?
- Real world scenarios for 2-legged OAuth
- OAuth2 Implementation
- Is the OAuth2 implicit flow always 3-legged?
- Why is there 3-legged OAuth2 when 2-legged works so well?
- Difference between OAuth 2.0 Two legged and Three legged implementation
- Access tokens and 2-legged OAuth2
- OAuth 1.0 - how to implement both 2-legged and 3-legged authentication?
- Implementing a 2 Legged OAuth Provider
- 2-legged OAuth and REST